US-10819750

Multi-tenant authentication and permissions framework

Published: October 27, 2020
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

Disclosed are various embodiments for a multi-tenant authentication and permissions framework. In a first embodiment, an interceptor intercepts a request to perform an operation with respect to a network resource from a client device, authenticates the client device as having a user identity with an authentication service, receives data from a permissions service indicating whether the user identity has permission to perform the operation, and forwards the request to perform the operation to a service.

Patent Claims
20 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A non-transitory computer-readable medium embodying at least one program executable in at least one computing device, wherein when executed the at least one program causes the at least one computing device to at least: receive a request to perform an operation with respect to a network resource from a client device; determine a particular user class to which the client device belongs based at least in part on a network address of the client device, wherein the particular user class is one of a plurality of user classes; add a header to the request that indicates the particular user class; automatically select a particular authentication service of a plurality of authentication services according to the header of the request indicating the particular user class, wherein the plurality of authentication services are usable for authentication for access to the network resource; authenticate the client device as having a user identity with the particular authentication service; receive data from a permissions service indicating whether the user identity has permission to perform the operation; and forward the request to perform the operation to another service, wherein the forwarded request includes the data from the permissions service.

2. The non-transitory computer-readable medium of claim 1, wherein determining the particular user class further comprises: identifying a network address range corresponding to the network address of the client device; and determining that the network address range corresponds to the particular user class.

3. The non-transitory computer-readable medium of claim 1, wherein when executed the at least one program further causes the at least one computing device to at least, responsive to the request to perform the operation, send a request to perform an application programming interface (API) call to an API implementation, wherein the request is intercepted by an API interceptor, and the request to perform the API call includes the data from the permissions service.

4. The non-transitory computer-readable medium of claim 1, wherein the operation comprises at least one of: a create operation, a read operation, an update operation, a delete operation, or an approve operation.

5. The non-transitory computer-readable medium of claim 1, wherein the user identity is associated with a user group, and the permissions service determines whether the user identity has permission to perform the operation based at least in part on the user group and a role of the user identity in the user group.

6. A system, comprising: at least one computing device; and at least one interceptor executable in the at least one computing device, wherein when executed the at least one interceptor causes the at least one computing device to at least: intercept a request to perform an operation with respect to a network resource from a client device; determine a particular user class to which the client device belongs based at least in part on a network address of the client device, wherein the particular user class is one of a plurality of user classes; add a header to the request that indicates the particular user class; automatically select a particular authentication service of a plurality of authentication services according to the header of the request indicating the particular user class, wherein the plurality of authentication services are usable for authentication for access to the network resource; authenticate the client device as having a user identity with the particular authentication service; receive data from a permissions service indicating whether the user identity has permission to perform the operation; and forward the request to perform the operation to a service, wherein the forwarded request includes the data from the permissions service.

7. The system of claim 6, wherein the operation comprises at least one of: a create operation, a read operation, an update operation, a delete operation, or an approve operation.

8. The system of claim 6, wherein the user identity is associated with a user group, and the permissions service determines whether the user identity has permission to perform the operation based at least in part on the user group and a role of the user identity in the user group.

9. The system of claim 8, wherein the permissions service determines the user group based at least in part on a determination whether the user identity corresponds to an internal user or an external user.

10. The system of claim 6, wherein when executed in the at least one computing device the service causes the at least one computing device to at least: responsive to the request to perform the operation, send a request to perform an application programming interface (API) call to an API implementation, wherein the request is intercepted by an API interceptor, and the request to perform the API call includes the data from the permissions service.

11. The system of claim 10, wherein when executed in the at least one computing device the API interceptor causes the at least one computing device to at least: verify that the user identity has permissions to perform the API call based at least in part on the data from the permissions service included in the request to perform the API call; cause the API call to be performed; filter a result of the API call by removing a portion of data from the result based at least in part on the data from the permissions service; and return the filtered result to the service.

12. The system of claim 6, further comprising a user interface interceptor executable in at least one computing device, wherein when executed in the at least one computing device the user interface interceptor causes the at least one computing device to at least: receive the data from the permissions service and a result of performing the operation; determine from the data that the user identity has permission to view a user interface component; and cause a user interface component to be rendered on the client device.

13. A method, comprising: intercepting, via at least one of one or more computing devices, a request to perform an operation with respect to a network resource from a client device; determining, via at least one of the one or more computing devices, a particular user class to which the client device belongs based at least in part on a network address of the client device, wherein the particular user class is one of a plurality of user classes; adding, via at least one of the one or more computing devices, a header to the request that indicates the particular user class; automatically selecting, via at least one of the one or more computing devices, a particular authentication service of a plurality of authentication services according to the header of the request indicating the particular user class, wherein the plurality of authentication services are usable for authentication for access to the network resource; authenticating, via at least one of the one or more computing devices, the client device as having a user identity with the particular authentication service; receiving, via at least one of the one or more computing devices, data from a permissions service indicating whether the user identity has permission to perform the operation; and forwarding, via at least one of the one or more computing devices, the request to perform the operation to a service, wherein the forwarded request includes the data from the permissions service.

14. The method of claim 13, wherein the operation comprises at least one of: a create operation, a read operation, an update operation, a delete operation, or an approve operation.

15. The method of claim 13, wherein the user identity is associated with a user group, and the permissions service determines whether the user identity has permission to perform the operation based at least in part on the user group and a role of the user identity in the user group.

16. The method of claim 15, wherein the permissions service determines the user group based at least in part on a determination whether the user identity corresponds to an internal user or an external user.

17. The method of claim 13, further comprising, responsive to the request to perform the operation, sending, via at least one of the one or more computing devices, a request to perform an application programming interface (API) call to an API implementation, wherein the request is intercepted by an API interceptor, and the request to perform the API call includes the data from the permissions service.

18. The method of claim 17, further comprising: verifying, via at least one of the one or more computing devices, that the user identity has permissions to perform the API call based at least in part on the data from the permissions service included in the request to perform the API call; causing, via at least one of the one or more computing devices, the API call to be performed; filtering, via at least one of the one or more computing devices, a result of the API call by removing a portion of data from the result based at least in part on the data from the permissions service; and returning, via at least one of the one or more computing devices, the filtered result to the service.

19. The method of claim 13, further comprising: receiving, via at least one of the one or more computing devices, the data from the permissions service and a result of performing the operation; determining, via at least one of the one or more computing devices, from the data that the user identity has permission to view a user interface component; and causing, via at least one of the one or more computing devices, a user interface component to be rendered on the client device.

20. The method of claim 13, wherein determining the particular user class further comprises: identifying, via at least one of the one or more computing devices, a network address range corresponding to the network address of the client device; and determining, via at least one of the one or more computing devices, that the network address range corresponds to the particular user class.
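As an added illustration (not code from the patent or from any product), the pipeline of claims 1, 2 and 5 in Python: the address-range table, the two stub authentication services, the `X-User-Class` header name and the group/role permissions table are all constructed for this example. The interceptor classifies the client by address, selects the authentication service from the header it added, and forwards the request together with the permissions data rather than enforcing the decision itself, which the claims leave to the downstream service and API interceptor.

```python
import ipaddress
from typing import Any, Optional

# Claims 2 and 20: an address range maps to a user class (constructed table; private/documentation ranges).
USER_CLASS_RANGES = {
    ipaddress.ip_network("10.0.0.0/8"): "internal",
    ipaddress.ip_network("203.0.113.0/24"): "partner",
}
DEFAULT_CLASS = "external"

def user_class_for(address: str) -> str:
    """Determine the user class from the client's network address."""
    ip = ipaddress.ip_address(address)
    return next((cls for net, cls in USER_CLASS_RANGES.items() if ip in net), DEFAULT_CLASS)

# Stub authentication services (constructed): each maps a bearer token to an identity.
def corporate_sso(token: str) -> Optional[str]:
    return {"tok-alice": "alice@corp.example"}.get(token)

def external_idp(token: str) -> Optional[str]:
    return {"tok-bob": "bob@example.org", "tok-pat": "pat@partner.example"}.get(token)

# Claim 1: the authentication service is selected according to the user-class header.
AUTH_SERVICES = {"internal": corporate_sso, "partner": external_idp, "external": external_idp}

# Claim 5: permission depends on the user's group and role within that group (constructed).
USER_GROUPS = {"alice@corp.example": ("ops", "admin"),
               "bob@example.org": ("customers", "viewer"),
               "pat@partner.example": ("partners", "editor")}
ROLE_OPERATIONS = {"admin": {"create", "read", "update", "delete", "approve"},
                   "editor": {"create", "read", "update"},
                   "viewer": {"read"}}

def permissions_service(identity: str, operation: str) -> dict[str, Any]:
    """Return the permissions data that is forwarded along with the request."""
    group, role = USER_GROUPS.get(identity, (None, None))
    allowed = operation in ROLE_OPERATIONS.get(role, set())
    return {"identity": identity, "group": group, "role": role,
            "operation": operation, "allowed": allowed}

def intercept(request: dict[str, Any]) -> dict[str, Any]:
    """Run the claim-1 pipeline; return the request as forwarded to the backend service."""
    headers = dict(request.get("headers", {}))
    headers["X-User-Class"] = user_class_for(request["client_address"])  # add class header
    auth = AUTH_SERVICES[headers["X-User-Class"]]        # select auth service by that header
    identity = auth(headers.get("Authorization", ""))
    if identity is None:
        raise PermissionError("authentication failed")   # nothing to forward without an identity
    perms = permissions_service(identity, request["operation"])
    return {**request, "headers": headers, "permissions": perms}
```

A token issued by the external identity provider is rejected for a client in the internal range, because the class header, not the token, chooses the authentication service.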

Classification Codes (CPC)


Patent Metadata

Filing Date

April 27, 2018

Publication Date

October 27, 2020


Cite as: Patentable. “Multi-tenant authentication and permissions framework” (US-10819750). https://patentable.app/patents/US-10819750
